Monday, January 09, 2012

Earlier today I noticed I was getting a lot of TCP port 6515 proxies on The List.

Curious, I checked one and it gave me a VIA header of

1.1 Fran-PC (McAfee Relay Server 5.2.3)

Then I took a peek at the database. Nearly 1900 of these things since December 1st, 2011. Although the name of the PC above is a dead giveaway that this is some sort of consumer product ("[name-of-owner]-PC" is the default Windows machine name created during setup), a quick check of the DNS names of these boxes confirms they are all on residential IP addresses.

So what is "McAfee Relay Server"? I'm guessing it's one of those snarky products they stick you with whenever you buy a new PC. This makes sense, since December is a big month for new PCs.

But why install it as an open proxy?

If it's a "security product" I hope it's a honeypot.

UPDATE: BIG LIST OF MCAFEE VIA HEADERS

This is what I have been able to salvage from the proxy run logs that I still have. All of December is basically lost, unfortunately.